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(54) Distributed payment system for cash-free payment transfers using a purse chip card 

(57) The invention presented describes a distrib- 
uted payment system for cash-free payment with purse 
chip cards using the Net. The system consists of a client 
system which is, for example, installed at the customer 
site and a server system which is, for example, installed 
at the dealer. The client and server systems are con- 
nected over the Net, e.g. the Internet. The client system 
consists of a chip card reader, the software associated 
with this, a client transaction program and, preferably, a 
data processing system. The server system consists of 
a security module, a chip card reader device for the 
security module, a server transaction program and a cli- 
ent surrogate program which represents the client sys- 
tem and, preferably, a data processing system. The 
most important advantage of the distributed system is 
that a payment protocol, independent of any control 
centre, can be used economically for payment on the 
Net between the purchaser and dealer as well as for col- 
lective billing between the dealer and the purse settle- 
ment office. The use of standard components which are 
currently used in local payment terminals means that an 
economical design can be reached both in the dealer 
network nodes (server system) as well as in the pur- 
chaser network nodes (client system). 

Payment using an electronic exchange has the 
advantage over existing cash-fr e payment systems in 
that there is no central control involved in the payment 
procedure, total settlement calculations are possible, a 
cryptographically secure protocol is used and anony- 
mous payments are possible. 
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Description 

[0001] The invention refers to a payment system for 
cash-free payment transfers in a network by means of 
purse chip cards. 

[0002] Modern types of cash-free payment transfers 
are carried out using chip cards. In particular, these are 
electronic purses, credit cards and debit cards. 
[0003] Several different payment transfer applications 
can exist on a chip card, for example electronic purses 
and credit cards. 

[0004] The chip card is initialized before issue to the 
customer, i.e. application data and cryptographic keys 
for securing the transaction are stored on the chip card 
which allow the chip card to be used within the frame- 
work of certain applications. On being issued with the 
card, the customer is informed of the application for 
which the chip card can be used. 
[0005] if a customer wishes to pay for goods at a 
dealer using his/her purse chip card, then this transac- 
tion can be carried out at a payment terminal. The chip 
card is inserted into a chip card reader arranged in the 
payment terminal. Using the chip card reader, data can 
be read from the chip card or data can be written to the 
chip card. With electronic purse applications, the credit 
stored on the chip card is reduced by the amount which 
is to be paid to the shop for the goods. 
[0006] To carry out the described payment procedure, 
the payment terminal has the following components in 
particular: a chip card reader, a keyboard for entering 
data, a display unit to display instructions to the cus- 
tomer, a security module, a communication connection 
to the network and software to control the correspond- 
ing transactions. 

[0007] For local payment procedures at a dealer, all 
components of the payment terminal are integrated into 
one device. 

[0008] The normal methods of payment today in the 
network are payments with credit cards, debit authorisa- 
tions and electronic money. In paying using a credit 
card, the card number is given unsecured to the dealer; 
in payment by means of a debit authorisation, the 
account number is given unsecured to the dealer, and in 
payment using electronic money, a control centre which 
administers the money is intermediately switched. 
[0009] Therefore the task of the invention presented is 
to produce a system and procedure which allows pay- 
ment by means of a purse chip card over a data network 
where the same basic components of a local payment 
terminal as well as the same deduction and administra- 
tion protocols are used between the dealer and the 
deduction office of the purse holder as in the local appli- 
cation. 

[0010] This task is solved by the characteristics of 
claims 1 and 14. Further advantageous developments 
of this invention are presented in the sub-claims. 
[0011] The fundamental advantage of the invention 
presented is that the payment protocol between the pur- 



chaser and the dealer, independent of a control centre, 
plus the calculation of the cumulative deductions 
between the dealer and the purse clearing office can be 
used cheaply for payment in the network. 
5 [001 2] By the use of standard components which are 
used in local payment terminals, a cheap design can be 
achieved both in the dealer's network nodes (server 
system) as well as in the purchaser's network nodes 
(client system). 

10 [001 3] Payments using an electronic purse differ from 
the usual methods of payment over the network in that 

• no control centre is involved in the payment process 
- cumulative deductions are possible 
is - a cryptographically secure protocol is used and 
anonymous payments are possible. 

[0014] In a suitable design of the invention presented, 
the following components are installed at the pur- 
20 chaser/end user (client system): 

1 . A chip card reader for reading from and writing to 
the electronic purse chip card 

2. Software for operating the chip card reader 

25 3. Purchaser transaction software (client transac- 
tion program) 

4. A keyboard for entering customer data, a display 
unit for displaying instructions to the customer and 

5. A communication connection to the network. 

30 

[001 5] If the purchaser/end user has a personal com- 
puter connected to the network, then only components 
1 , 2 and 3 are to be additionally installed. The keyboard, 
display unit and network communication exist as stand- 
35 ard components. 

[0016] The following components are installed at the 
dealer/network server (server system) : 

1. A security module 
40 2. A chip card reader for reading and writing to the 
security module 

3. The software for operating the security module 

4. The communication connection to the network 

5. A dealer transaction program (server transaction 
45 program) to control the transaction, for administra- 
tion and deduction with the purse clearing office 
and 

6. Purchaser surrogate software (client surrogate 
program) to read and write to the electronic purse 

so card, amongst other things. 

[0017] Components 1 to 5 are standard components 
of a local payment terminal i.e. a standard payment ter- 
minal for local operations. These components are 
55 equipped with the purchaser surr gate program (client 
surrogate program). The purchaser surrogate program 
is preferably installed at the dealer. The purchaser 
transaction software and the purchaser surrogate pro- 
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gram are added to the standard components of a local 
payment terminal, in order to maintain a distributed pay- 
ment terminal. 

[001 8] The task of the purchaser transaction software 
in the purchaser's network nodes is 

the transfer of the identification of the chip card to 
the dealer transaction software 

- the transfer of the data packets from the dealer 
transaction program over the chip card reader to 
the purse chip card 

- the transfer of the responses from the chip card to 
the dealer transaction program. 

[001 9] The task of the purchaser surrogate program in 
the dealer's network nodes is 

- the creation of the purse chip card commands 

the transfer of the packets from the dealer transac- 
tion program to the purchaser transaction program 
and 

the transfer of responses from the purchaser trans- 
action program to the general control of the dealer 
transaction program. 

[0020] A payment transaction using a purse chip card 
is created using a cryptographically secure protocol 
between the purse chip card and the security module. 
The key for the cryptographic security is located at the 
terminal points of the protocol, the purse chip card and 
the security module. The protocol between the purse 
chip card and the security module takes place in the 
payment terminal in a local payment terminal. 
[0021 ] The following procedure facilitates this protocol 
between the distributed components of the payment ter- 
minal: 

The purse chip card is identified locally in the net- 
work nodes of the purchaser/end user (client sys- 
tem) through the purchaser transaction program, 
after it is inserted into the chip card reader 
The payment procedure is initiated by the network 
nodes of the dealer/network server (server system) 
by a message to the network nodes of the pur- 
chaser. The purchaser transaction program sends 
the identification data of the purse card to the 
dealer transaction program 
The dealer transaction program and the purchaser 
surrogate program introduce the secured protocol 
between the purse chip card and the security mod- 
ule. The chip card command header data for the 
purse chip card is created in the purchaser surro- 
gate program 

- The data packets of the cryptographically secure 
protocol between the security module and the 
purse chip card are exchanged betw en the pur- 
chaser transaction program and the purchaser sur- 
rogate program over the network and interpreted by 



the dealer transaction program 
- At the end of the cryptographically secure protocol 
between the security module and the purse chip 
card, the cumulative data is supplemented by the 
5 dealer transaction program in the security module 
and the transaction data for the later deduction is 
stored in the dealer's network nodes. 

[0022] A suitable continuation of the invention is pro- 

10 vided for in that the purchaser transaction program and 
the software to operate the chip card reader in the pur- 
chaser's network nodes is loaded in the purchaser's 
network nodes before the start of the payment transac- 
tion from the dealer's network nodes. This can prefera- 

15 bly be carried out by implementing the software in JAVA. 
[0023] Another continuation of the invention is pro- 
vided for in the purchaser transaction program being 
designed to take precautions for deductions from the 
purse chip card in "time cycle operation". This time 

20 cycle operation, which is supported by some of the elec- 
tronic purse chip cards, allows the deduction of a fixed 
amount from the purse chip card per fixed time unit. 
Thus it is possible, for example, to deduct the costs of 
suppliers who wish to deduct the costs of services per 

25 time unit. 

[0024] The invention presented is described in greater 
detail in the following using a drawing where Fig. 1 
shows a schematic representation of a distributed pay- 
ment terminal consisting of a client system and a server 

30 system according to the invention presented. 

[0025] Fig. 1 shows a distributed payment terminal 
with components in the network node of the dealer 1 
(server system) and in the network node of the pur- 
chaser 2 (client system). 

35 [0026] In the network node of the purchaser 2 there is 
a display unit 27 and a keyboard 28. Information is 
shown using the display unit 27. This includes in partic- 
ular the request to make certain payment-specific 
entries using the keyboard 28. The display unit 27 and 

40 the keyboard are controlled using standard terminal 
software 26, for example a PC operating system. 
[0027] The distributed payment terminal can be used 
to give a dealer's customers the opportunity to pay with- 
out using cash within the framework of an electronic 

45 exchange, for the dealer's goods or services. For this 
reason the network node of the dealer 1 and the net- 
work node of the purchaser 2 are connected on-line 
using a central network over the host communication 
modules 19 and 29. 

so [0028] If a cash-free payment procedure is carried out 
using the distributed payment terminal, then in the net- 
work node of the purchaser 2, for example, the amount 
to be paid by the customer will be displayed on the dis- 
play unit 27. By means of the keyboard 28 in the net- 

55 work node of the purchaser 2, the payment type can be 
selected and the amount to be paid can be confirmed. 
[0029] To control the distributed payment terminal 
within the framework of use by the customer, in the net- 
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work node of the dealer 1 the distributed payment termi- 
nal has a dealer transaction program 14 (server 
transaction program) and a purchaser surrogate pro- 
gram 16 (client surrogate program) which basically con- 
sists of a software module. The dealer transaction 
program 14 and the purchaser surrogate software 16 
are stored in the memory of a processing unit in the net- 
work node of the dealer 1 and are used by a processor 
in the processing unit to carry out applications. The 
dealer transaction program 14 exchanges information 
with the different components of the distributed payment 
terminal, particularly with the security module 11 and 
the purchaser surrogate program 16 (client surrogate 
program). 

[0030] The security module 1 1 is controlled by a card 
reader 12 and card reader software 13. The purchaser 
surrogate program 16 is used as a representative of the 
network node of the purchaser 2. It creates and inter- 
prets the command level of the purse chip card 21 and 
communicates with the network node of the purchaser 2 
over the communication module 19. 
[0031 ] In addition, in the network node of the dealer 1 
there is a display unit 17 and a keyboard 18 for commu- 
nicating with the dealer. These are used, for example, 
within the framework of the administration of the net- 
work node of the dealer 1 and for initializing the deduc- 
tion with the purse clearing office. 
[0032] If a customer wants to pay using his/her elec- 
tronic purse which is on the chip card 21, then the cus- 
tomer inserts the chip card 21 into the card reader 22 
and confirms the amount to be paid using the keyboard 
28. The purchaser transaction program 24 carries out 
the procedural stages necessary for reading the identi- 
fication data on the chip card using the card reader soft- 
ware 23. The card reader software 23 sets the card 
reader 22 into a state where the insertion of a chip card 
is expected. After the chip card 21 is inserted into the 
card reader 22 and correct contact is created between 
the chip card 21 and the card reader 22, the card reader 
22 sends corresponding information to the purchaser 
transaction program 24 using the card reader program 
22. 

[0033] Then a payment transaction is to be carried out 
where the amount to be paid is deducted from the elec- 
tronic purse on the chip card 21 and the deducted 
amount is stored in the network node of the dealer 1 
along with other transaction data such as chip card 
identification, currency and purse owner, so that the 
dealer later receives this amount transferred from the 
clearing office of the purse owner. 
[0034] In carrying out the procedural stages for 
deducting the amount to be paid from the chip card 21 , 
the security module 1 1 is used for exchanging data rel- 
evant to security and to prevent misuse of the purse. 
[0035] Stored in the security module 1 1 are functions 
and procedures to be carried out, and with whose help 
the deduction of the payment amount from the elec- 
tronic purse of the chip card 21 can be completed, as 



well as cryptographic keys. 

[0036] In addition, cumulative data on transactions 
started with the purse owner since the last deduction 
are held in the security module. Deductions are initiated 
s by the dealer transaction program 14 and cover infor- 
mation exchange between the chip card 21 and the 
security module 1 1 . This information exchange has the 
following step sequence: 

w - The chip card 21 is identified locally in the network 
node of the purchaser 2 by the purchaser transac- 
tion program 24 using the card reader software 23 
after it is inserted into the card reader 22. 
The payment procedure is initiated by the network 

is node of the dealer 1 by a message via the network 
communication modules 19 and 29 to the network 
nodes of the purchaser 2. This message contains, 
amongst other things, the amount. 

- The amount and other relevant information are dis- 
20 played on the display unit 27 in the network node of 

the purchaser 2 and confirmed and optionally sup- 
plemented by the purchaser through entries on the 
keyboard 28. The payment procedure in the net- 
work node of the purchaser 2 is thus initiated. 

25 - The purchaser transaction program 24 sends the 
identification data of the chip card 21 to the pur- 
chaser surrogate program 16 in the network node 
of the dealer 1 over the network communication 
modules 29 and 9. 

30 - The purchaser surrogate program 1 6 interprets the 
identification data and transfers it and the dealer 
transaction program 14. 

- The dealer transaction program 14 initiates the 
secure protocol between the chip card 21 and the 

35 security module 1 1 . The security module creates a 
cryptographically secure message to the purse chip 
card which is transferred over the card reader soft- 
ware to the dealer transaction program. The dealer 
transaction program transfers the message to the 

<o purchaser surrogate program. 

[0037] The chip card command header data for the 
purse chip card is created by the purchaser surrogate 
program. The message is sent via the communication 

45 software to the purchaser transaction program. The pur- 
chaser transaction program transfers the complete 
message to the purse chip card over the card reader 
software. The cryptographically secure response of the 
purse chip card is transferred to the purchaser transac- 

so tion program over the card reader program and it goes 
over the communication software to the purchaser sur- 
rogate program. The purchaser surrogate program 
interprets the protocol data of the response which refers 
to the chip card command and transfers the response to 

55 th dealer transaction program. The dealer transaction 
program interprets the response with regard to the pro- 
tocol between the security module and the purse chip 
card. If the protocol is not complete, then the response 
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is transferred to the security module and the previous 
steps are repeated. If the protocol is complete, then this 
means that the amount is deducted from the purse chip 
card and the cumulative data in the security module is 
supplemented, the dealer transaction program stores 
the transaction data for the later deduction in the net- 
work node of the dealer and ends the payment proce- 
dure. 

[0038] At the end of the day or at a time determined 
by the dealer or the clearing office, the transaction data 
in the network node of the dealer is sent to the clearing 
office of the purse owner for deduction. 

Claims 

1. Distributed payment system (1; 2) for cash-free 
payment transfers by means of a purse chip card 
containing 

a) a client system (2) 
containing 



cc) an input device (27; 28) 

dd) a communication device for connection 
to a data network (29) 

b) a server system (1) 
containing 

aa) a security module (1 1) 

bb) a chip card reader device for reading 
and writing to the security module (12) 

cc) an input device (1 7; 1 8) 



line. 



2. System according to claim 1 , characterised by the 
client system (2) being installed at the customer site 

s and the server system (1) being installed at the 
dealer. 

3. System according to claims 1 or 2, characterised by 
the communication device of the client system (29) 

10 and the server system (19) being connected with 
one another over the Internet. 

4. System according to claims 1 to 3, characterised by 
the client transaction program (24) executing the 

75 identification of the purse chip card to the server 
transaction program (1 4), the transfer of the request 
from the server transaction program via the chip 
card reader to the purse chip card and the transfer 
of the responses from the chip card to the server 

20 transaction program. 



aa) a chip card reader device ( 1 2) for read- 
ing and writing to the electronic purse chip 
card 25 



bb) a client transaction program (24) to 
control the communication of the client 
system components with the server sys- 
tem components 



30 
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System according to claims 1 to 4, characterised by 
the client surrogate program (16) executing the cre- 
ation of the purse chip card commands, the transfer 
of the request from the server transaction program 
(1 4) to the client transaction program and the trans- 
fer of the responses from the client transaction pro- 
gram to the general control of the server transaction 
program. 

System according to claims 1 to 4, characterized by 
the input device of the client system and the server 
system consisting of a display device and a key- 
board. 

System according to claims 1 to 5, characterised by 
the communication device (19; 29), keyboard (18; 
28) and display device (17; 27) being part of a data 
processing device or network computer. 



8. A system according to claims 1 to 6, characterized 
by the server transaction program (14) and the cli- 
ent surrogate program (1 6) being installed in a data 
processing device or network computer of the 
45 server system. 



dd) a server transaction program (1 4) to 9. System according to claims 1 to 8, characterized by 



control the communication of the server 
system components 

ee) a client surrogate program (16) to rep- 
resent the client system 

ff) a communication device for connection 
to a network (19) 

in which the communication device of the 
client system and the server system are 
connected with one another using a data 



the client transaction program and the program for 
controlling the chip card reader being stored in the 
so server system or a server and not being loaded into 
the client system until the initiation of a payment 
process. 

1 0. System according to claims 1 to 9, characterized by 
55 the client transaction program and th program for 
controlling the chip card r ad r being written in the 
JAVA programming language. 



5 



9 



EP0 924 667 A2 



10 



11. System according to claims 1 to 10, characterized 
by the client transaction program having planned 
precautions for debiting from the purse chip card in 
time-cycle mode. 

5 

12. System according to claims 1 to 1 1, characterized 
by the chip card reader device containing a pro- 
gram for controlling the chip card reader in reading 
and writing to the purse chip card. 

w 

13. A system according to claims 1 to 12, characterized 
by the chip card reader device containing a pro- 
gram for controlling the security module for reading 
and writing to the security module. 

15 

14. A procedure for cash-free payment using a purse 
chip card with a system according to claims 1 , 2, 3, 
6 to 13, containing the following steps: 

a) Insertion of the purse chip card (21) in the 20 
chip card reader (22) 

b) Identification of the purse chip card using the 
client transaction program (24) 

25 

c) Initiation of a payment procedure using the 
server system (1) or client system (2) by dis- 
playing the amount on the display device of the 
client system 

30 

d) Confirmation of the amount by the client sys- 
tem (2) 

e) Transfer of the identification data of the 
purse chip card to the client surrogate program 35 
(16) 



k) Interpretation of the response according to 
step j) with regard to the protocol between the 
security module and the purse chip card by the 
server transaction program 

I) if the protocol is not complete, repeat from 

step h) to k) 

or 

m) if the protocol is complete, save the pay- 
ment transaction data using the server transac- 
tion program. 

15. Procedure according to claim 14, characterized by 
the response according to step j) being transferred 
via the card reader program and client transaction 
program to the client surrogate program. 

16. Procedure according to claim 15, characterised by 
the response according to step j) being interpreted 
by the client surrogate program into protocol data 
which refers to the chip card commands. 

17. Procedure according to claims 1 1 to 16, character- 
ized by the payment transaction data according to 
step m) being stored in the server system. 



f) Interpretation of the identification data by the 
client surrogate program and transfer to the 
server transaction program (14) 40 

g) Initiation of the secure protocol between the 
purse chip card (21) and the security module 
(11) using the server transaction program 

45 

h) Creation of a cryptographically secure mes- 
sage by the security module (11) and transfer 
of this message to the client surrogate program 
(16) 

50 

i) Creation of chip card commands for the 
purse chip card (21) by the client surrogate pro- 
gram (16) and transfer of the chip card com- 
mand (23) to the purse chip card (1 1) 

55 

j) Creation of a response by the purse chip card 
and the transfer of this response to the server 
transaction program 
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